Created attachment 475097
git patch file (master)
The reported problem was caused by the bug in ldbm_attrcrypt.c which did not expect to have an external PKCS #11 token. This patch successfully initializes ldbm_attrcrypt.
But ldbm_attrcrypt fails once trying to encrypt an attribute. e.g.:
dn: cn=givenname,cn=encrypted attributes,cn=userRoot,cn=ldbm database,cn=plugi
nsEncryptionAlgorithm: AES [ or 3DES ]
[..] attrcrypt - _back_crypt_crypto_op: failed on cipher AES : -8192 - An I/O error occurred during security authorization.
[..] - Error: attrcrypt_crypto_op_values failed in attrcrypt_encrypt_entry
[..] - attrcrypt_encrypt_entry failed in id2entry_add
Created attachment 475673
git patch file (master)
1. To retrieve a certificate from an external token (i.e., not
"internal (software)"), "<token>:<cert_nickname>" should have
been passed. The <token> part was missing.
2. The key to be used for encryption and decryption internally
needs to have ENCRYPT and DECRYPT attribute set, respectively.
The correct attributes were not set. Note: these attributes
are automatically set for the softoken in nss, but not for the
external token. This is why attrcrypt worked for the softoken,
but not for the external token. The attributes need to be set
when the key is generated as well as when the key is unwrapped.
3. Adding code to check whether the underlying system supports the
cipher before generating a key. If it is not supported,
it issues a message not to choose the cipher for the attrcrypt/
changelog encryption. If none of the ciphers are supported and
if attrcrypt/changelog encryption is enabled, the server fails
Reviewed by Nathan (Thank you!!!)
Pushed to master.
$ git merge 624547
ldap/servers/slapd/back-ldbm/ldbm_attrcrypt.c | 141 ++++++++++++++++++++----
ldap/servers/slapd/proto-slap.h | 3 +
ldap/servers/slapd/security_wrappers.c | 36 ++++++-
3 files changed, 151 insertions(+), 29 deletions(-)
$ git push
Counting objects: 17, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 3.26 KiB, done.
Total 9 (delta 7), reused 0 (delta 0)
7ece306..57dcdf1 master -> master
I tried to verify this bug, but I was not able to set up DS (use the wizard and generate a key pair to set up SSL certs) with our newest nethsm6k.dsdev.sjc.redhat.com. That hardware token is in FIPS mode. My machine is SELinux permissive. I'm still troubleshooting the problem.